Background: Phishing
Annual phishing losses?

- $15.6 billion in identity theft loss [FTC 2006] 

- $3.2 billion in phishing loss [Gartner 2007] 

- $61 million (with ~0.2% actual victim rate, $200 median loss) [8]
Characteristics:

- ~30,000 phishing domains per 6 months [apwg]

- Weak vs. strong phisher (e.g., Rock-Phish & Avalanche) 

- Different ways to host a phish (e.g., compromised servers, free-hosting services) 

- Can be hard to take down (e.g., Rock-Phish & Avalanche use fast-flux IP switching) 

- Not all phishes detected (information asymmetry) 



Q: What is the optimal strategy of a phisher? 
Background: Colonel Blotto game

2-player constant-sum game: allocation of finite resources in n battlefields

Borel (1921)

Borel and Ville (1938): symmetric resources, n=3

Gross and Wagner (1950): asymmetric resources, but solved n=2 only

... [complex, lack of pure strategies] ...

Roberson (2006): characterization of unique equilibrium payoff
Background: Colonel Blotto game

[Figure: Colonel Blotto with a limited resource of 100 soldiers and n=5 battlefields; attacker allocations labelled "stochastic complete coverage" and "stochastic guerrilla attack"]

Application to Security? Information asymmetry?

Symmetrical resource = 100
Asymmetrical resource < 20 (trivial)
Asymmetrical resource > 20 (complex!)

Kovenock et al. (2010):

- endogenous dimensionality

Roberson (2006):

- payoff w.r.t. resource asymmetry
Modeling: Colonel Blotto Phishing (CBP) game
Player: takedown company vs. phisher

• Battlefield: a phish

• Objective: maximize (minimize) the fraction of phishes with more than a certain uptime

• Resource: infrastructure, manpower, time (finite; use it or lose it; the defender has more resources)



Cost: 



low : use a free-hosting service 
medium : register a new domain 
high : compromise a server 
Modeling: Colonel Blotto Phishing game

• Stage: (1) create - detect
         (2) resist - takedown
Can the phisher win in a detected battlefield?

- No, if phisher's resource is much lower (total lock-down) 

- Yes, if phish survives a certain uptime 

• Not resolving phish URL at every access, or temporarily removing a phish [6] 

• Re-compromising a vulnerable server [7] 

• Fast-flux IP switching (e.g., by Rock-Phish & Avalanche) 
Phisher: How many new phishes to create?

max over n_w of E(U_w(n_w)) = [expected Blotto payoff E(π_w) on the new phishes that are detected, probability P_d] + [undetected new phishes, (1 - P_d) n_w, normalized by n] - c n_w

[Equation partially lost in extraction; the recoverable terms are the Blotto payoff E(π_w), the undetected share (1 - P_d) n_w / n, and the creation cost c n_w]
Roberson (2006)
Analysis Results

Phisher's strategy C1: Perfect Detection (same settings as in [4])

[Figure: optimal new phishes n_w*; the weak attacker creates phishes, the strong attacker creates no new phish]

[Figure: optimal utility U_w*; the (strong) attacker can always win a (sizable) fraction of the battlefield, the weak attacker gets utility ≈ 0]

• Resource asymmetry: strong attacker vs. defender = 1/2; weak attacker vs. defender = 1/900



Phisher's strategy C2: Imperfect Detection (exogenous)

[Figure: optimal new phishes n_w* and optimal utility U_w* vs. P_d]

- Weak attacker creates more new phishes

- Weak attacker is hurt more as P_d increases

- Better off, if P_d → 1: improve resources to resist takedown; if P_d → 0: lower the cost to create more phishes



Phisher's strategy C3: Imperfect Detection (endogenous)

[Figure: optimal new phishes n_w* and optimal utility U_w* vs. P_d (0.2 to 1.0)]

• If new phishes increase the detection rate:

- Registrars look for suspicious domain registration patterns [6]

- 'Rock Phish' and 'Avalanche' phishes hosted on the same domain [apwg]

• Fewer phishes and lower utility
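The create-vs-resist trade-off behind the "how many new phishes" question and the C2/C3 comparison, as an added toy model (not the authors' code and not the slides' equation): it assumes the phisher pays c of its own resource r_a per new phish, keeps a contested phish with probability min(ratio, 1)/2 (Roberson's 2006 payoff for moderate asymmetry, used here as a stand-in for every ratio), and already has n0 detected phishes; r_a, r_d, c, n0 and p_detect are assumed names.

```python
# Added toy model of the CBP create-vs-resist trade-off (not the authors' code).
# Assumptions: creation cost c is paid from the phisher's own resource r_a, so
# r_a - c*n_w is left to resist takedown; a contested phish survives with
# probability min(ratio, 1)/2 (Roberson 2006 payoff for moderate asymmetry, used
# here as a stand-in for every ratio); n0 phishes are already detected; each new
# phish is detected with probability p_detect(n_w).
from typing import Callable, Tuple


def blotto_payoff(r_attacker: float, r_defender: float) -> float:
    """Assumed fraction of contested phishes the phisher keeps past the uptime threshold."""
    if r_attacker <= 0:
        return 0.0
    return min(r_attacker / r_defender, 1.0) / 2.0


def surviving_fraction(n_w: int, r_a: float, r_d: float, c: float,
                       n0: int, p_d: float) -> float:
    """Expected fraction of all phishes (n0 old + n_w new) that survive."""
    pi = blotto_payoff(r_a - c * n_w, r_d)      # only the remaining resource is contested
    old = n0 * pi                               # already-detected phishes
    new = n_w * ((1 - p_d) + p_d * pi)          # undetected new phishes survive outright
    return (old + new) / (n0 + n_w)


def optimal_new_phishes(r_a: float, r_d: float, c: float, n0: int,
                        p_detect: Callable[[int], float]) -> Tuple[int, float]:
    """Grid search over the affordable n_w; returns (n_w*, U_w*)."""
    best = (0, surviving_fraction(0, r_a, r_d, c, n0, p_detect(0)))
    for n_w in range(1, int(r_a / c + 1e-9) + 1):
        u = surviving_fraction(n_w, r_a, r_d, c, n0, p_detect(n_w))
        if u > best[1]:
            best = (n_w, u)
    return best


if __name__ == "__main__":
    strong = dict(r_a=50.0, r_d=100.0, c=1.0, n0=10)   # resource ratio 1/2 (constructed)
    for p_d in (0.0, 0.5, 1.0):                          # C2: exogenous P_d
        print("P_d =", p_d, optimal_new_phishes(p_detect=lambda n: p_d, **strong))
    # C3: endogenous P_d, rising with the number of new phishes
    print("endogenous", optimal_new_phishes(p_detect=lambda n: min(1.0, 0.5 + 0.01 * n), **strong))
```

With these constructed numbers the strong attacker creates nothing under perfect detection, everything it can afford at P_d = 0, and an interior amount in between; the endogenous case yields fewer phishes and lower utility than the exogenous P_d = 0.5 case.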




Discussion & Summary

Implications for the Anti-Phishing Industry:

• Increasing the cost of a phish

- Affects a weak attacker more

- But phishers can use stolen credit cards, or 'easy' domains (e.g., .tk, co.cc) [6]

- 80% of attacks used compromised servers [6,7]

• Improving the detection rate

- Concerns about sharing among takedown companies

- User reporting (not necessarily requiring user evaluation) can be helpful

• Empirical estimation & prioritizing

- P_d → 0: make phishing cost higher

- P_d → 1: disrupt resources (e.g., access to botnet, underground market)
Summary

Colonel Blotto Phishing (CBP)

- Resource asymmetry

- Information asymmetry

- Endogenous dimensionality
Applicability to web security problems

- Two-step detect & takedown process 

Extensions 

- Competition between phishers -- Tragedy of the Commons? [8] 
Thank you. Questions?

Pern Hui Chia 

chia@q2s.ntnu.no 
John Chuang 

chuang@ischool.berkeley.edu 